Merge pull request #15412 from Security-Onion-Solutions/reyesj2-patch-9

missing  updates to variables

pillar/ca/init.sls

@@ -0,0 +1,2 @@
+ca:
+  server:

pillar/top.sls

@@ -1,5 +1,6 @@
 base:
   '*':
+    - ca
     - global.soc_global
     - global.adv_global
     - docker.soc_docker

salt/allowed_states.map.jinja

@@ -15,11 +15,7 @@
     'salt.minion-check',
     'sensoroni',
     'salt.lasthighstate',
-    'salt.minion'
-] %}
-
-{% set ssl_states = [
-    'ssl',
+    'salt.minion',
     'telegraf',
     'firewall',
     'schedule',
@@ -28,7 +24,7 @@
 
 {% set manager_states = [
     'salt.master',
-    'ca',
+    'ca.server',
     'registry',
     'manager',
     'nginx',
@@ -75,28 +71,24 @@
     {# Map role-specific states #}
     {% set role_states = {
         'so-eval': (
-            ssl_states +
             manager_states +
             sensor_states +
-            elastic_stack_states | reject('equalto', 'logstash') | list
+            elastic_stack_states | reject('equalto', 'logstash') | list +
+            ['logstash.ssl']
         ),
         'so-heavynode': (
-            ssl_states +
             sensor_states +
             ['elasticagent', 'elasticsearch', 'logstash', 'redis', 'nginx']
         ),
         'so-idh': (
-            ssl_states +
             ['idh']
         ),
         'so-import': (
-            ssl_states +
             manager_states +
             sensor_states | reject('equalto', 'strelka') | reject('equalto', 'healthcheck') | list +
-            ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'strelka.manager']
+            ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'logstash.ssl', 'strelka.manager']
         ),
         'so-manager': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] +
             stig_states +
@@ -104,7 +96,6 @@
             elastic_stack_states
         ),
         'so-managerhype': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'strelka.manager', 'hypervisor', 'libvirt'] +
             stig_states +
@@ -112,7 +103,6 @@
             elastic_stack_states
         ),
         'so-managersearch': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] +
             stig_states +
@@ -120,12 +110,10 @@
             elastic_stack_states
         ),
         'so-searchnode': (
-            ssl_states +
             ['kafka.ca', 'kafka.ssl', 'elasticsearch', 'logstash', 'nginx'] +
             stig_states
         ),
         'so-standalone': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users'] +
             sensor_states +
@@ -134,29 +122,24 @@
             elastic_stack_states
         ),
         'so-sensor': (
-            ssl_states +
             sensor_states +
             ['nginx'] +
             stig_states
         ),
         'so-fleet': (
-            ssl_states +
             stig_states +
             ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
         ),
         'so-receiver': (
-            ssl_states +
             kafka_states +
             stig_states +
             ['logstash', 'redis']
         ),
         'so-hypervisor': (
-            ssl_states +
             stig_states +
             ['hypervisor', 'libvirt']
         ),
         'so-desktop': (
-            ['ssl', 'docker_clean', 'telegraf'] +
             stig_states
         )
     } %}

salt/ca/dirs.sls

@@ -1,4 +0,0 @@
-pki_issued_certs:
-  file.directory:
-    - name: /etc/pki/issued_certs
-    - makedirs: True

salt/ca/init.sls

@@ -3,70 +3,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-
 include:
-  - ca.dirs
-
-/etc/salt/minion.d/signing_policies.conf:
-  file.managed:
-    - source: salt://ca/files/signing_policies.conf
-
-pki_private_key:
-  x509.private_key_managed:
-    - name: /etc/pki/ca.key
-    - keysize: 4096
-    - passphrase:
-    - backup: True
-    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
-    - prereq:
-      - x509: /etc/pki/ca.crt
-    {%- endif %}
-
-pki_public_ca_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/ca.crt
-    - signing_private_key: /etc/pki/ca.key
-    - CN: {{ GLOBALS.manager }}
-    - C: US
-    - ST: Utah
-    - L: Salt Lake City
-    - basicConstraints: "critical CA:true"
-    - keyUsage: "critical cRLSign, keyCertSign"
-    - extendedkeyUsage: "serverAuth, clientAuth"
-    - subjectKeyIdentifier: hash
-    - authorityKeyIdentifier: keyid:always, issuer
-    - days_valid: 3650
-    - days_remaining: 0
-    - backup: True
-    - replace: False
-    - require:
-      - sls: ca.dirs
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-mine_update_ca_crt:
-  module.run:
-    - mine.update: []
-    - onchanges:
-      - x509: pki_public_ca_crt
-
-cakeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/ca.key
-    - mode: 640
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
+{% if GLOBALS.is_manager %}
+  - ca.server
 {% endif %}
+  - ca.trustca

salt/ca/map.jinja

@@ -0,0 +1,3 @@
+{% set CA = {
+    'server': pillar.ca.server
+}%}

salt/ca/remove.sls

@@ -1,7 +1,35 @@
-pki_private_key:
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% set setup_running = salt['cmd.retcode']('pgrep -x so-setup') == 0 %}
+
+{% if setup_running%}
+
+include:
+  - ssl.remove
+
+remove_pki_private_key:
   file.absent:
     - name: /etc/pki/ca.key
 
-pki_public_ca_crt:
+remove_pki_public_ca_crt:
   file.absent:
     - name: /etc/pki/ca.crt
+
+remove_trusttheca:
+  file.absent:
+    - name: /etc/pki/tls/certs/intca.crt
+
+remove_pki_public_ca_crt_symlink:
+  file.absent:
+    - name: /opt/so/saltstack/local/salt/ca/files/ca.crt
+
+{% else %}
+
+so-setup_not_running:
+  test.show_notification:
+    - text: "This state is reserved for usage during so-setup."
+
+{% endif %}

salt/ca/server.sls

@@ -0,0 +1,63 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+pki_private_key:
+  x509.private_key_managed:
+    - name: /etc/pki/ca.key
+    - keysize: 4096
+    - passphrase:
+    - backup: True
+    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
+    - prereq:
+      - x509: /etc/pki/ca.crt
+    {%- endif %}
+
+pki_public_ca_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/ca.crt
+    - signing_private_key: /etc/pki/ca.key
+    - CN: {{ GLOBALS.manager }}
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - extendedkeyUsage: "serverAuth, clientAuth"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid:always, issuer
+    - days_valid: 3650
+    - days_remaining: 7
+    - backup: True
+    - replace: False
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+pki_public_ca_crt_symlink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/ca/files/ca.crt
+    - target: /etc/pki/ca.crt
+    - require:
+      - x509: pki_public_ca_crt
+
+cakeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/ca.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/ca/signing_policy.sls

@@ -0,0 +1,15 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# when the salt-minion signs the cert, a copy is stored here
+issued_certs_copypath:
+  file.directory:
+    - name: /etc/pki/issued_certs
+    - makedirs: True
+
+signing_policy:
+  file.managed:
+    - name: /etc/salt/minion.d/signing_policies.conf
+    - source: salt://ca/files/signing_policies.conf

salt/ca/trustca.sls

@@ -0,0 +1,26 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - docker
+
+# Trust the CA
+trusttheca:
+  file.managed:
+    - name: /etc/pki/tls/certs/intca.crt
+    - source: salt://ca/files/ca.crt
+    - watch_in:
+      - service: docker_running
+    - show_changes: False
+    - makedirs: True
+
+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+  file.symlink:
+    - target: /etc/pki/tls/certs/intca.crt
+    - name: /etc/ssl/certs/intca.crt
+{% endif %}

salt/common/init.sls

@@ -177,7 +177,7 @@ so-status_script:
     - source: salt://common/tools/sbin/so-status
     - mode: 755
 
-{% if GLOBALS.role in GLOBALS.sensor_roles %}
+{% if GLOBALS.is_sensor %}
 # Add sensor cleanup
 so-sensor-clean:
   cron.present:

salt/common/tools/sbin/so-common

@@ -554,21 +554,39 @@ run_check_net_err() {
 }
 
 wait_for_salt_minion() {
-	local minion="$1"
-	local timeout="${2:-5}"
-	local logfile="${3:-'/dev/stdout'}"
-	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
-	local attempt=0
-	# each attempts would take about 15 seconds
-	local maxAttempts=20
-	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
-		attempt=$((attempt+1))
-		if [[ $attempt -eq $maxAttempts ]]; then
-			return 1
-		fi
-		sleep 10
-	done
-	return 0
+    local minion="$1"
+    local max_wait="${2:-30}"
+    local interval="${3:-2}"
+    local logfile="${4:-'/dev/stdout'}"
+    local elapsed=0
+
+	echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting for salt-minion '$minion' to be ready..."
+
+    while [ $elapsed -lt $max_wait ]; do
+        # Check if service is running
+		echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Check if salt-minion service is running"
+        if ! systemctl is-active --quiet salt-minion; then
+            echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion service not running (elapsed: ${elapsed}s)"
+            sleep $interval
+            elapsed=$((elapsed + interval))
+            continue
+        fi
+		echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion service is running"
+
+        # Check if minion responds to ping
+		echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Check if $minion responds to ping"
+        if salt "$minion" test.ping --timeout=3 --out=json 2>> "$logfile" | grep -q "true"; then
+            echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion '$minion' is connected and ready!"
+            return 0
+        fi
+        
+        echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting... (${elapsed}s / ${max_wait}s)"
+        sleep $interval
+        elapsed=$((elapsed + interval))
+    done
+
+    echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - ERROR: salt-minion '$minion' not ready after $max_wait seconds"
+    return 1
 }
 
 salt_minion_count() {

salt/common/tools/sbin/so-log-check

@@ -130,6 +130,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP"     # SO does not bundle the maxminddb with Zeek
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found"          # Salt loops until Kratos returns 200, during startup Kratos may not be ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
 fi
 
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -160,6 +161,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline"       # false positive (elasticsearch ingest pipeline names contain 'error') 
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating index template"      # false positive (elasticsearch index or template names contain 'error') 
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating component template"  # false positive (elasticsearch index or template names contain 'error') 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading component template"  # false positive (elasticsearch index or template names contain 'error')
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading composable template" # false positive (elasticsearch composable template names contain 'error')
 fi
 

salt/desktop/trusted-ca.sls

@@ -3,29 +3,16 @@
 {# we only want this state to run it is CentOS #}
 {% if GLOBALS.os == 'OEL' %}
 
-  {% set global_ca_text = [] %}
-  {% set global_ca_server = [] %}
-  {% set manager = GLOBALS.manager %}
-  {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
-    {% for host in x509dict %}
-      {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import', 'eval'] %}
-        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
-        {% do global_ca_server.append(host) %}
-      {% endif %}
-    {% endfor %}
-  {% set trusttheca_text = global_ca_text[0] %}
-  {% set ca_server = global_ca_server[0] %}
-
 trusted_ca:
-  x509.pem_managed:
+  file.managed:
     - name: /etc/pki/ca-trust/source/anchors/ca.crt
-    - text:  {{ trusttheca_text }}
+    - source: salt://ca/files/ca.crt
 
 update_ca_certs:
   cmd.run:
     - name: update-ca-trust
     - onchanges:
-      - x509: trusted_ca
+      - file: trusted_ca
 
 {% else %}
 

salt/docker/init.sls

@@ -6,9 +6,9 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-# include ssl since docker service requires the intca
+# docker service requires the ca.crt
 include:
-  - ssl
+  - ca
 
 dockergroup:
   group.present:
@@ -89,10 +89,9 @@ docker_running:
     - enable: True
     - watch:
       - file: docker_daemon
-      - x509: trusttheca
     - require:
       - file: docker_daemon
-      - x509: trusttheca
+      - file: trusttheca
 
 
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present

salt/elasticagent/enabled.sls

@@ -9,6 +9,7 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 
 include:
+  - ca
   - elasticagent.config
   - elasticagent.sostatus
 
@@ -55,8 +56,10 @@ so-elastic-agent:
       {% endif %}
     - require:
       - file: create-elastic-agent-config
+      - file: trusttheca
     - watch:
       - file: create-elastic-agent-config
+      - file: trusttheca
 
 delete_so-elastic-agent_so-status.disabled:
   file.uncomment:

salt/elasticfleet/config.sls

@@ -95,6 +95,9 @@ soresourcesrepoclone:
     - rev: 'main'
     - depth: 1
     - force_reset: True
+    - retry:
+        attempts: 3
+        interval: 10
 {% endif %}
 
 elasticdefendconfdir:

salt/elasticfleet/enabled.sls

@@ -13,9 +13,11 @@
 {%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
 
 include:
+  - ca
+  - logstash.ssl
+  - elasticfleet.ssl
   - elasticfleet.config
   - elasticfleet.sostatus
-  - ssl
 
 {% if grains.role not in ['so-fleet'] %}
 # Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
@@ -133,6 +135,11 @@ so-elastic-fleet:
         {% endfor %}
       {% endif %}
     - watch:
+      - file: trusttheca
+      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleet_crt
+    - require:
+      - file: trusttheca
       - x509: etc_elasticfleet_key
       - x509: etc_elasticfleet_crt
 {%   endif %}

salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json

@@ -2,7 +2,7 @@
 {%- raw -%}
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "import-zeek-logs",
@@ -10,19 +10,31 @@
   "description": "Zeek Import logs",
   "policy_id": "so-grid-nodes_general",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/import/*/zeek/logs/*.log"
             ],
             "data_stream.dataset": "import",
-            "tags": [],
+            "pipeline": "",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": ["({%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}).log$"],
+            "include_files": [],
             "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"import.file\").slice(0,-4);\n          event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek\n      imported: true\n- add_tags:\n    tags: \"ics\"\n    when:\n      regexp:\n        import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
-            "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }

salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json

@@ -11,36 +11,51 @@
 {%- endif -%}
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "kratos-logs",
-  "namespace": "so",
   "description": "Kratos logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/kratos/kratos.log"
             ],
             "data_stream.dataset": "kratos",
-            "tags": ["so-kratos"],
+            "pipeline": "kratos",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             {%- if valid_identities -%}
             "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos\n- if:\n    has_fields:\n      - identity_id\n  then:{% for id, email in identities %}\n    - if:\n        equals:\n          identity_id: \"{{ id }}\"\n      then:\n        - add_fields:\n            target: ''\n            fields:\n              user.name: \"{{ email }}\"{% endfor %}",
             {%- else -%}
             "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos",
             {%- endif -%}
-            "custom": "pipeline: kratos"
+            "tags": [
+              "so-kratos"
+            ],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
-
+}

salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json

@@ -2,28 +2,38 @@
 {%- raw -%}
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
-  "id": "zeek-logs",
   "name": "zeek-logs",
   "namespace": "so",
   "description": "Zeek logs",
   "policy_id": "so-grid-nodes_general",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/zeek/logs/current/*.log"
             ],
             "data_stream.dataset": "zeek",
-            "tags": [],
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": ["({%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}).log$"],
+            "include_files": [],
             "processors": "- dissect:\n    tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n    field: \"log.file.path\"\n    trim_chars: \".log\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"pipeline\");\n          event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek\n- add_tags:\n    tags: \"ics\"\n    when:\n      regexp:\n        pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
-            "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
@@ -31,4 +41,4 @@
   },
   "force": true
 }
-{%- endraw -%}
+{%- endraw -%}

salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json

@@ -1,26 +1,43 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "hydra-logs",
-  "namespace": "so",
   "description": "Hydra logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/hydra/hydra.log"
             ],
             "data_stream.dataset": "hydra",
-            "tags": ["so-hydra"],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: hydra",
-            "custom": "pipeline: hydra"
+            "pipeline": "hydra",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
+            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: hydra",
+            "tags": [
+              "so-hydra"
+            ],
+            "recursive_glob": true,
+            "ignore_older": "72h",
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
@@ -28,3 +45,5 @@
   },
   "force": true
 }
+
+

salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json

@@ -1,30 +1,44 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "idh-logs",
-  "namespace": "so",
   "description": "IDH integration",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/idh/opencanary.log"
             ],
             "data_stream.dataset": "idh",
-            "tags": [],
+            "pipeline": "common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- convert:\n    fields:\n      - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n- drop_fields:\n    when:\n      equals:\n        event.code: \"1001\"\n    fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n    ignore_missing: true\n- rename:\n    fields:\n      - from: \"src_host\"\n        to: \"source.ip\"\n      - from: \"src_port\"\n        to: \"source.port\"\n      - from: \"dst_host\"\n        to: \"destination.host\"\n      - from: \"dst_port\"\n        to: \"destination.port\"\n    ignore_missing: true\n- drop_fields:\n    fields: '[\"prospector\", \"input\", \"offset\", \"beat\"]'\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: opencanary",
-            "custom": "pipeline: common"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json

@@ -1,33 +1,46 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "import-evtx-logs",
-  "namespace": "so",
   "description": "Import Windows EVTX logs",
   "policy_id": "so-grid-nodes_general",
-  "vars": {},
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/import/*/evtx/*.json"
             ],
             "data_stream.dataset": "import",
-            "custom": "",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true\n- add_fields:\n    target: \"@metadata\"\n    fields:\n        pipeline: logs-system.security-2.6.1\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.sysmon_operational-3.1.2\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.application-2.6.1\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.system-2.6.1\n    \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.powershell_operational-3.1.2\n- add_fields:\n    target: data_stream\n    fields:\n        dataset: import",
             "tags": [
               "import"
-            ]
+            ],
+            "recursive_glob": true,
+            "ignore_older": "72h",
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json

@@ -1,30 +1,45 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "import-suricata-logs",
-  "namespace": "so",
   "description": "Import Suricata logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/import/*/suricata/eve*.json"
             ],
             "data_stream.dataset": "import",
+            "pipeline": "suricata.common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
+            "processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: suricata\n      imported: true\n- dissect:\n      tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n      field: \"log.file.path\"\n      target_prefix: \"\"\n",
             "tags": [],
-            "processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: suricata\n      imported: true\n- dissect:\n      tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n      field: \"log.file.path\"\n      target_prefix: \"\"",
-            "custom": "pipeline: suricata.common"
+            "recursive_glob": true,
+            "ignore_older": "72h",
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json

@@ -1,18 +1,17 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "rita-logs",
-  "namespace": "so",
   "description": "RITA Logs",
   "policy_id": "so-grid-nodes_general",
-  "vars": {},
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
@@ -20,15 +19,28 @@
               "/nsm/rita/exploded-dns.csv",
               "/nsm/rita/long-connections.csv"
             ],
-            "exclude_files": [],
-            "ignore_older": "72h",
             "data_stream.dataset": "rita",
-            "tags": [],
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- dissect:\n    tokenizer: \"/nsm/rita/%{pipeline}.csv\"\n    field: \"log.file.path\"\n    trim_chars: \".csv\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"pipeline\").split(\"-\");\n          if (pl.length > 1) {\n            pl = pl[1];\n          }\n          else {\n            pl = pl[0];\n          }\n          event.Put(\"@metadata.pipeline\", \"rita.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: rita",
-            "custom": "exclude_lines: ['^Score', '^Source', '^Domain', '^No results']"
+            "tags": [],
+            "recursive_glob": true,
+            "ignore_older": "72h",
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
-  }
+  },
+  "force": true
 }

salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json

@@ -1,29 +1,41 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "so-ip-mappings",
-  "namespace": "so",
   "description": "IP Description mappings",
   "policy_id": "so-grid-nodes_general",
-  "vars": {},
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/custom-mappings/ip-descriptions.csv"
             ],
             "data_stream.dataset": "hostnamemappings",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
+            "processors": "- decode_csv_fields:\n    fields:\n      message: decoded.csv\n    separator: \",\"\n    ignore_missing: false\n    overwrite_keys: true\n    trim_leading_space: true\n    fail_on_error: true\n\n- extract_array:\n    field: decoded.csv\n    mappings:\n      so.ip_address: '0'\n      so.description: '1'\n\n- script:\n    lang: javascript\n    source: >\n      function process(event) {\n          var ip = event.Get('so.ip_address');\n          var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n          if (!validIpRegex.test(ip)) {\n              event.Cancel();\n          }\n      }\n- fingerprint:\n    fields: [\"so.ip_address\"]\n    target_field: \"@metadata._id\"\n",
             "tags": [
               "so-ip-mappings"
             ],
-            "processors": "- decode_csv_fields:\n    fields:\n      message: decoded.csv\n    separator: \",\"\n    ignore_missing: false\n    overwrite_keys: true\n    trim_leading_space: true\n    fail_on_error: true\n\n- extract_array:\n    field: decoded.csv\n    mappings:\n      so.ip_address: '0'\n      so.description: '1'\n\n- script:\n    lang: javascript\n    source: >\n      function process(event) {\n          var ip = event.Get('so.ip_address');\n          var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n          if (!validIpRegex.test(ip)) {\n              event.Cancel();\n          }\n      }\n- fingerprint:\n    fields: [\"so.ip_address\"]\n    target_field: \"@metadata._id\"\n",
-            "custom": ""
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
@@ -31,5 +43,3 @@
   },
   "force": true
 }
-
-

salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json

@@ -1,30 +1,44 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "soc-auth-sync-logs",
-  "namespace": "so",
   "description": "Security Onion - Elastic Auth Sync - Logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/soc/sync.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
+            "pipeline": "common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- dissect:\n    tokenizer: \"%{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: auth_sync",
-            "custom": "pipeline: common"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/soc-detections-logs.json

@@ -1,35 +1,48 @@
 {
-  "policy_id": "so-grid-nodes_general",
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "soc-detections-logs",
   "description": "Security Onion Console - Detections Logs",
+  "policy_id": "so-grid-nodes_general",
   "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/soc/detections_runtime-status_sigma.log",
               "/opt/so/log/soc/detections_runtime-status_yara.log"
             ],
-            "exclude_files": [],
-            "ignore_older": "72h",
             "data_stream.dataset": "soc",
+            "pipeline": "common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
+            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: detections\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
             "tags": [
               "so-soc"
             ],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: detections\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
+            "recursive_glob": true,
+            "ignore_older": "72h",
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json

@@ -1,30 +1,46 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "soc-salt-relay-logs",
-  "namespace": "so",
   "description": "Security Onion - Salt Relay - Logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/soc/salt-relay.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
+            "pipeline": "common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- dissect:\n    tokenizer: \"%{soc.ts} | %{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: salt_relay",
-            "custom": "pipeline: common"
+            "tags": [
+              "so-soc"
+            ],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json

@@ -1,30 +1,44 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "soc-sensoroni-logs",
-  "namespace": "so",
   "description": "Security Onion - Sensoroni - Logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/sensoroni/sensoroni.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": [],
+            "pipeline": "common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"sensoroni\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: sensoroni\n- rename:\n    fields:\n      - from: \"sensoroni.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"sensoroni.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"sensoroni.fields.method\"\n        to: \"http.request.method\"\n      - from: \"sensoroni.fields.path\"\n        to: \"url.path\"\n      - from: \"sensoroni.message\"\n        to: \"event.action\"\n      - from: \"sensoroni.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
-  "force": true
-}
+"force": true
+}

salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json

@@ -1,30 +1,46 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "soc-server-logs",
-  "namespace": "so",
   "description": "Security Onion Console Logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/opt/so/log/soc/sensoroni-server.log"
             ],
             "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
+            "pipeline": "common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: server\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
+            "tags": [
+              "so-soc"
+            ],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json

@@ -1,30 +1,44 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "strelka-logs",
-  "namespace": "so",
-  "description": "Strelka logs",
+  "description": "Strelka Logs",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/strelka/log/strelka.log"
             ],
             "data_stream.dataset": "strelka",
-            "tags": [],
+            "pipeline": "strelka.file",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- add_fields:\n    target: event\n    fields:\n      category: file\n      module: strelka",
-            "custom": "pipeline: strelka.file"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json

@@ -1,30 +1,44 @@
 {
   "package": {
-    "name": "log",
+    "name": "filestream",
     "version": ""
   },
   "name": "suricata-logs",
-  "namespace": "so",
   "description": "Suricata integration",
   "policy_id": "so-grid-nodes_general",
+  "namespace": "so",
   "inputs": {
-    "logs-logfile": {
+    "filestream-filestream": {
       "enabled": true,
       "streams": {
-        "log.logs": {
+        "filestream.generic": {
           "enabled": true,
           "vars": {
             "paths": [
               "/nsm/suricata/eve*.json"
             ],
-            "data_stream.dataset": "suricata",
-            "tags": [],
+            "data_stream.dataset": "filestream.generic",
+            "pipeline": "suricata.common",
+            "parsers": "#- ndjson:\n#    target: \"\"\n#    message_key: msg\n#- multiline:\n#    type: count\n#    count_lines: 3\n",
+            "exclude_files": [
+              "\\.gz$"
+            ],
+            "include_files": [],
             "processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: suricata",
-            "custom": "pipeline: suricata.common"
+            "tags": [],
+            "recursive_glob": true,
+            "clean_inactive": -1,
+            "harvester_limit": 0,
+            "fingerprint": false,
+            "fingerprint_offset": 0,
+            "fingerprint_length": "64",
+            "file_identity_native": true,
+            "exclude_lines": [],
+            "include_lines": []
           }
         }
       }
     }
   },
   "force": true
-}
+}

salt/elasticfleet/install_agent_grid.sls

@@ -8,7 +8,9 @@
 {% endif %}
 
 {% set AGENT_STATUS = salt['service.available']('elastic-agent') %}
-{% if not AGENT_STATUS  %}
+{% set AGENT_EXISTS = salt['file.file_exists']('/opt/Elastic/Agent/elastic-agent') %}
+
+{% if not AGENT_STATUS or not AGENT_EXISTS %}
 
 pull_agent_installer:
   file.managed:
@@ -19,7 +21,7 @@ pull_agent_installer:
 
 run_installer:
   cmd.run:
-    - name: ./so-elastic-agent_linux_amd64 -token={{ GRIDNODETOKEN }}
+    - name: ./so-elastic-agent_linux_amd64 -token={{ GRIDNODETOKEN }} -force
     - cwd: /opt/so
     - retry:
         attempts: 3

salt/elasticfleet/ssl.sls

@@ -0,0 +1,186 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%   from 'ca/map.jinja' import CA %}
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+
+{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
+# Start -- Elastic Fleet Host Cert
+etc_elasticfleet_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-server.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-server.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-server.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+efperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+chownelasticfleetkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.key
+    - mode: 640
+    - user: 947
+    - group: 939
+# End -- Elastic Fleet Host Cert
+{% endif %} # endif is for not including HeavyNodes & Receivers 
+
+
+# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+etc_elasticfleet_agent_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-agent.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_agent_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_agent_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-agent.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-agent.key
+    - CN: {{ GLOBALS.hostname }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleet_agent_key
+
+efagentperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetagentcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+chownelasticfleetagentkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.key
+    - mode: 640
+    - user: 947
+    - group: 939
+# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+
+{% endif %}
+
+{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
+elasticfleet_kafka_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-kafka.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
+    - prereq:
+      - x509: elasticfleet_kafka_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticfleet_kafka_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-kafka.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: kafka
+    - private_key: /etc/pki/elasticfleet-kafka.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticfleet_kafka_cert_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-kafka.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+elasticfleet_kafka_key_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-kafka.key
+    - mode: 640
+    - user: 947
+    - group: 939
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade

@@ -14,7 +14,7 @@ if ! is_manager_node; then
 fi
 
 # Get current list of Grid Node Agents that need to be upgraded
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%20:%20%22{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%22%20and%20policy_id%20:%20%22so-grid-nodes_general%22&showInactive=false&getStatusSummary=true")
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%20:%20%22{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%22%20and%20policy_id%20:%20%22so-grid-nodes_general%22&showInactive=false&getStatusSummary=true" --retry 3 --retry-delay 30 --fail 2>/dev/null)
 
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update

@@ -26,7 +26,7 @@ function update_es_urls() {
 }
 
 # Get current list of Fleet Elasticsearch URLs
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update

@@ -142,7 +142,7 @@ function update_kafka_outputs() {
 
 {% if GLOBALS.pipeline == "KAFKA" %}
   # Get current list of Kafka Outputs
-  RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_kafka')
+  RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_kafka' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 
   # Check to make sure that the server responded with good data - else, bail from script
   CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
@@ -168,7 +168,7 @@ function update_kafka_outputs() {
   {# If global pipeline isn't set to KAFKA then assume default of REDIS / logstash #}
 {% else %}
   # Get current list of Logstash Outputs
-  RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_logstash')
+  RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_logstash' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 
   # Check to make sure that the server responded with good data - else, bail from script
   CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update

@@ -23,7 +23,7 @@ function update_fleet_urls() {
 }
 
 # Get current list of Fleet Server URLs
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default')
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")

salt/elasticsearch/ca.sls

@@ -26,14 +26,14 @@ catrustscript:
         GLOBALS: {{ GLOBALS }}
 {%   endif %}
 
-cacertz:
+elasticsearch_cacerts:
   file.managed:
     - name: /opt/so/conf/ca/cacerts
     - source: salt://elasticsearch/cacerts
     - user: 939
     - group: 939
 
-capemz:
+elasticsearch_capems:
   file.managed:
     - name: /opt/so/conf/ca/tls-ca-bundle.pem
     - source: salt://elasticsearch/tls-ca-bundle.pem

salt/elasticsearch/config.sls

@@ -5,11 +5,6 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - ssl
-  - elasticsearch.ca
-
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
 

salt/elasticsearch/enabled.sls

@@ -14,6 +14,9 @@
 {%   from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
 
 include:
+  - ca
+  - elasticsearch.ca
+  - elasticsearch.ssl
   - elasticsearch.config
   - elasticsearch.sostatus
 
@@ -61,11 +64,7 @@ so-elasticsearch:
       - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
       - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
       - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
-      {% if GLOBALS.is_manager %}
-      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
-      {% endif %}
       - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
       - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
       - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
@@ -82,22 +81,21 @@ so-elasticsearch:
         {% endfor %}
       {% endif %}
     - watch:
-      - file: cacertz
+      - file: trusttheca
+      - x509: elasticsearch_crt
+      - x509: elasticsearch_key
+      - file: elasticsearch_cacerts
       - file: esyml
     - require:
+      - file: trusttheca
+      - x509: elasticsearch_crt
+      - x509: elasticsearch_key
+      - file: elasticsearch_cacerts
       - file: esyml
       - file: eslog4jfile
       - file: nsmesdir
       - file: eslogdir
-      - file: cacertz
-      - x509: /etc/pki/elasticsearch.crt
-      - x509: /etc/pki/elasticsearch.key
       - file: elasticp12perms
-      {% if GLOBALS.is_manager %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
       - cmd: auth_users_roles_inode
       - cmd: auth_users_inode
 

salt/elasticsearch/ssl.sls

@@ -0,0 +1,66 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+# Create a cert for elasticsearch
+elasticsearch_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticsearch.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+    - prereq:
+      - x509: /etc/pki/elasticsearch.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticsearch_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticsearch.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: registry
+    - private_key: /etc/pki/elasticsearch.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
+    - onchanges:
+      - x509: /etc/pki/elasticsearch.key
+
+elastickeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.key
+    - mode: 640
+    - group: 930
+    
+elasticp12perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.p12
+    - mode: 640
+    - group: 930
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticsearch/tools/sbin_jinja/so-catrust

@@ -14,8 +14,9 @@ set -e
 # Check to see if we have extracted the ca cert.
 if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
     docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
-    docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
-    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+    # Make sure symbolic links are followed when copying from container
+    docker cp -L so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
+    docker cp -L so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
     docker rm so-elasticsearchca
     echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
     echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem

salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load

@@ -121,7 +121,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then
     echo "Loading Security Onion index templates..."
     shopt -s extglob
     {% if GLOBALS.role == 'so-heavynode' %}
-    pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*)"
+    pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*|*endpoint*|*elasticsearch*|*generic*|*fleet_server*|*soc*)"
     {% else %}
     pattern="*"
     {% endif %}

salt/influxdb/config.sls

@@ -9,7 +9,6 @@
 
 include:
   - salt.minion
-  - ssl
   
 # Influx DB
 influxconfdir:

salt/influxdb/enabled.sls

@@ -11,6 +11,7 @@
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
 
 include:
+  - influxdb.ssl
   - influxdb.config
   - influxdb.sostatus
 
@@ -59,6 +60,8 @@ so-influxdb:
     {% endif %}
     - watch:
       - file: influxdbconf
+      - x509: influxdb_key
+      - x509: influxdb_crt
     - require:
       - file: influxdbconf
       - x509: influxdb_key

salt/influxdb/ssl.sls

@@ -0,0 +1,55 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+influxdb_key:
+  x509.private_key_managed:
+    - name: /etc/pki/influxdb.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
+    - prereq:
+      - x509: /etc/pki/influxdb.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the talking to influxdb
+influxdb_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/influxdb.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: influxdb
+    - private_key: /etc/pki/influxdb.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+influxkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/influxdb.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/kafka/enabled.sls

@@ -68,6 +68,8 @@ so-kafka:
       - file: kafka_server_jaas_properties
       {% endif %}
       - file: kafkacertz
+      - x509: kafka_crt
+      - file: kafka_pkcs12_perms
     - require:
       - file: kafkacertz
 
@@ -95,4 +97,4 @@ include:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
+{% endif %}

salt/kafka/ssl.sls

@@ -6,22 +6,13 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states or sls in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
 {%   set kafka_password = salt['pillar.get']('kafka:config:password') %}
 
 include:
-  - ca.dirs
-    {% set global_ca_server = [] %}
-    {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
-    {% for host in x509dict %}
-      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
-        {% do global_ca_server.append(host) %}
-      {% endif %}
-    {% endfor %}
-    {% set ca_server = global_ca_server[0] %}
+  - ca
 
-{% if GLOBALS.pipeline == "KAFKA" %}
-
-{%   if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone'] %}
+{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone'] %}
 kafka_client_key:
   x509.private_key_managed:
     - name: /etc/pki/kafka-client.key
@@ -39,12 +30,12 @@ kafka_client_key:
 kafka_client_crt:
   x509.certificate_managed:
     - name: /etc/pki/kafka-client.crt
-    - ca_server: {{ ca_server }}
+    - ca_server: {{ CA.server }}
     - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
     - signing_policy: kafka
     - private_key: /etc/pki/kafka-client.key
     - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
+    - days_remaining: 7
     - days_valid: 820
     - backup: True
     - timeout: 30
@@ -67,9 +58,9 @@ kafka_client_crt_perms:
     - mode: 640
     - user: 960
     - group: 939
-{%   endif %}
+{% endif %}
 
-{%   if GLOBALS.role in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %}
+{% if GLOBALS.role in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %}
 kafka_key:
   x509.private_key_managed:
     - name: /etc/pki/kafka.key
@@ -87,12 +78,12 @@ kafka_key:
 kafka_crt:
   x509.certificate_managed:
     - name: /etc/pki/kafka.crt
-    - ca_server: {{ ca_server }}
+    - ca_server: {{ CA.server }}
     - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
     - signing_policy: kafka
     - private_key: /etc/pki/kafka.key
     - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
+    - days_remaining: 7
     - days_valid: 820
     - backup: True
     - timeout: 30
@@ -103,6 +94,7 @@ kafka_crt:
     - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:{{ kafka_password }}"
     - onchanges:
       - x509: /etc/pki/kafka.key
+
 kafka_key_perms:
   file.managed:
     - replace: False
@@ -126,11 +118,11 @@ kafka_pkcs12_perms:
     - mode: 640
     - user: 960
     - group: 939
-{%   endif %}
+{% endif %}
 
 # Standalone needs kafka-logstash for automated testing. Searchnode/manager search need it for logstash to consume from Kafka.
 # Manager will have cert, but be unused until a pipeline is created and logstash enabled.
-{%   if GLOBALS.role in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %}
+{% if GLOBALS.role in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %}
 kafka_logstash_key:
   x509.private_key_managed:
     - name: /etc/pki/kafka-logstash.key
@@ -148,12 +140,12 @@ kafka_logstash_key:
 kafka_logstash_crt:
   x509.certificate_managed:
     - name: /etc/pki/kafka-logstash.crt
-    - ca_server: {{ ca_server }}
+    - ca_server: {{ CA.server }}
     - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
     - signing_policy: kafka
     - private_key: /etc/pki/kafka-logstash.key
     - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
+    - days_remaining: 7
     - days_valid: 820
     - backup: True
     - timeout: 30
@@ -189,7 +181,6 @@ kafka_logstash_pkcs12_perms:
     - user: 931
     - group: 939
 
-{%   endif %}
 {% endif %}
 
 {% else %}
@@ -198,4 +189,4 @@ kafka_logstash_pkcs12_perms:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
+{% endif %}

salt/kibana/defaults.yaml

@@ -25,11 +25,10 @@ kibana:
       discardCorruptObjects: "8.18.8"
     telemetry:
       enabled: False
-    security:
-      showInsecureClusterWarning: False
     xpack:
       security:
         secureCookies: true
+        showInsecureClusterWarning: false
       reporting:
         kibanaServer:
           hostname: localhost

salt/logstash/config.sls

@@ -10,11 +10,10 @@
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
 
+{%   if GLOBALS.role not in ['so-receiver','so-fleet'] %}
 include:
-  - ssl
-  {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
   - elasticsearch
-  {% endif %}
+{%   endif %}
 
 # Create the logstash group
 logstashgroup:

salt/logstash/enabled.sls

@@ -12,6 +12,7 @@
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
 
 include:
+  - ca
 {%   if GLOBALS.role not in ['so-receiver','so-fleet'] %}
   - elasticsearch.ca
 {%   endif %}
@@ -20,9 +21,9 @@ include:
   - kafka.ca
   - kafka.ssl
 {%   endif %}
+  - logstash.ssl
   - logstash.config
   - logstash.sostatus
-  - ssl
 
 so-logstash:
   docker_container.running:
@@ -65,22 +66,18 @@ so-logstash:
       - /opt/so/log/logstash:/var/log/logstash:rw
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
       - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
-      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
-      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
-      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
-      {% endif %}
+      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
       {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
       - /etc/pki/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
       - /etc/pki/elasticfleet-logstash.key:/usr/share/logstash/elasticfleet-logstash.key:ro
       - /etc/pki/elasticfleet-lumberjack.crt:/usr/share/logstash/elasticfleet-lumberjack.crt:ro
       - /etc/pki/elasticfleet-lumberjack.key:/usr/share/logstash/elasticfleet-lumberjack.key:ro
+          {% if GLOBALS.role != 'so-fleet' %}
+      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
+      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
+          {% endif %}
       {% endif %}
-      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
-      {% else %}
-      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
-      {% endif %}
-      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
+      {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
       - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
       - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
       {% endif %}
@@ -100,11 +97,22 @@ so-logstash:
         {% endfor %}
       {% endif %}
     - watch:
-      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-receiver'] %}
-      - x509: etc_elasticfleet_logstash_key
-      - x509: etc_elasticfleet_logstash_crt
-      {% endif %}
       - file: lsetcsync
+      - file: trusttheca
+      {% if GLOBALS.is_manager %}
+      - file: elasticsearch_cacerts
+      - file: elasticsearch_capems
+      {% endif %}
+      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
+      - x509: etc_elasticfleet_logstash_crt
+      - x509: etc_elasticfleet_logstash_key
+      - x509: etc_elasticfleetlumberjack_crt
+      - x509: etc_elasticfleetlumberjack_key
+        {% if GLOBALS.role != 'so-fleet' %}
+      - x509: etc_filebeat_crt
+      - file: logstash_filebeat_p8
+        {% endif %}
+      {% endif %}
       {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
       - file: ls_pipeline_{{assigned_pipeline}}
         {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
@@ -115,17 +123,20 @@ so-logstash:
       - file: kafkacertz
       {% endif %}
     - require:
-      {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+      - file: trusttheca
+      {% if GLOBALS.is_manager %}
+      - file: elasticsearch_cacerts
+      - file: elasticsearch_capems
+      {% endif %}
+      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
+      - x509: etc_elasticfleet_logstash_crt
+      - x509: etc_elasticfleet_logstash_key
+      - x509: etc_elasticfleetlumberjack_crt
+      - x509: etc_elasticfleetlumberjack_key
+        {% if GLOBALS.role != 'so-fleet' %}
       - x509: etc_filebeat_crt
-      {% endif %}
-      {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
-      {% if grains.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - file: cacertz
-      - file: capemz
+      - file: logstash_filebeat_p8
+        {% endif %}
       {% endif %}
       {% if GLOBALS.pipeline == 'KAFKA' and GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}
       - file: kafkacertz

salt/logstash/ssl.sls

@@ -0,0 +1,287 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states or sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%   from 'ca/map.jinja' import CA %}
+
+{%   if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+
+{%     if grains['role'] not in [ 'so-heavynode'] %}
+# Start -- Elastic Fleet Logstash Input Cert
+etc_elasticfleet_logstash_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-logstash.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_logstash_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_logstash_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-logstash.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-logstash.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleet_logstash_key
+
+eflogstashperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetlogstashcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.crt
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownelasticfleetlogstashkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.key
+    - mode: 640
+    - user: 931
+    - group: 939
+# End -- Elastic Fleet Logstash Input Cert
+{%     endif %} # endif is for not including HeavyNodes 
+
+# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output
+# Cert needed on: Managers, Receivers
+etc_elasticfleetlumberjack_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - bits: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
+    - prereq:
+      - x509: etc_elasticfleetlumberjack_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleetlumberjack_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-lumberjack.key
+    - CN: {{ GLOBALS.node_ip }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleetlumberjack_key
+
+eflogstashlumberjackperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - mode: 640
+    - group: 939
+
+chownilogstashelasticfleetlumberjackp8:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownilogstashelasticfleetlogstashlumberjackcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownilogstashelasticfleetlogstashlumberjackkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - mode: 640
+    - user: 931
+    - group: 939
+# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output
+{%   endif %}
+
+{%   if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %}
+etc_filebeat_key:
+  x509.private_key_managed:
+    - name: /etc/pki/filebeat.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: etc_filebeat_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+etc_filebeat_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/filebeat.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: filebeat
+    - private_key: /etc/pki/filebeat.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_filebeat_key
+
+fbperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
+logstash_filebeat_p8:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+
+{%     if grains.role not in ['so-heavynode', 'so-receiver'] %}
+# Create Symlinks to the keys so I can distribute it to all the things
+filebeatdir:
+  file.directory:
+    - name: /opt/so/saltstack/local/salt/filebeat/files
+    - makedirs: True
+
+fbkeylink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
+    - target: /etc/pki/filebeat.p8
+    - user: socore
+    - group: socore
+
+fbcrtlink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
+    - target: /etc/pki/filebeat.crt
+    - user: socore
+    - group: socore
+
+{%     endif %}
+{%   endif %}
+
+{%   if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %}
+   
+fbcertdir:
+  file.directory:
+    - name: /opt/so/conf/filebeat/etc/pki
+    - makedirs: True
+
+conf_filebeat_key:
+  x509.private_key_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: conf_filebeat_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+conf_filebeat_crt:
+  x509.certificate_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: filebeat
+    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Convert the key to pkcs#8 so logstash will work correctly.
+filebeatpkcs:
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
+    - onchanges:
+      - x509: conf_filebeat_key
+
+filebeatkeyperms:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
+chownfilebeatp8:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+    
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/manager/elasticsearch.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 elastic_curl_config_distributed:
   file.managed:
     - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config

salt/manager/kibana.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 kibana_curl_config_distributed:
   file.managed:
     - name: /opt/so/conf/kibana/curl.config
@@ -5,4 +10,4 @@ kibana_curl_config_distributed:
     - template: jinja
     - mode: 600
     - show_changes: False
-    - makedirs: True
+    - makedirs: True

salt/manager/sync_es_users.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 include:
   - elasticsearch.auth
   - kratos

salt/manager/tools/sbin/so-minion

@@ -716,6 +716,18 @@ function checkMine() {
 	}
 }
 
+function create_ca_pillar() {
+	local capillar=/opt/so/saltstack/local/pillar/ca/init.sls
+    printf '%s\n'\
+    "ca:"\
+    "  server: $MINION_ID"\
+	"  " > $capillar
+    if [ $? -ne 0 ]; then
+        log "ERROR" "Failed to add $MINION_ID to $capillar"
+        return 1
+    fi
+}
+
 function createEVAL() {
 	log "INFO" "Creating EVAL configuration for minion $MINION_ID"
 	is_pcaplimit=true
@@ -1013,6 +1025,7 @@ function setupMinionFiles() {
 	managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH")
 	if echo "${managers[@]}" | grep -qw "$NODETYPE"; then
 		add_sensoroni_with_analyze_to_minion || return 1
+		create_ca_pillar || return 1
 	else
 		add_sensoroni_to_minion || return 1
 	fi

salt/manager/tools/sbin/soup

@@ -325,6 +325,19 @@ clone_to_tmp() {
   fi
 }
 
+# there is a function like this in so-minion, but we cannot source it since args required for so-minion
+create_ca_pillar() {
+  local ca_pillar_dir="/opt/so/saltstack/local/pillar/ca"
+  local ca_pillar_file="${ca_pillar_dir}/init.sls"
+
+  echo "Updating CA pillar configuration"
+  mkdir -p "$ca_pillar_dir"
+  echo "ca: {}" > "$ca_pillar_file"
+
+  so-yaml.py add "$ca_pillar_file" ca.server "$MINIONID"
+  chown -R socore:socore "$ca_pillar_dir"
+}
+
 disable_logstash_heavynodes() {
   c=0
   printf "\nChecking for heavynodes and disabling Logstash if they exist\n"
@@ -368,7 +381,6 @@ masterlock() {
   echo "base:" > $TOPFILE
   echo "  $MINIONID:" >> $TOPFILE
   echo "    - ca" >> $TOPFILE
-  echo "    - ssl" >> $TOPFILE
   echo "    - elasticsearch" >> $TOPFILE
 }
 
@@ -951,6 +963,7 @@ up_to_2.4.201() {
 up_to_2.4.210() {
   # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
+  create_ca_pillar
 
   INSTALLEDVERSION=2.4.210
 }
@@ -1715,11 +1728,20 @@ verify_es_version_compatibility() {
     return 0
   else
     compatible_versions=${es_upgrade_map[$es_version]}
-    next_step_so_version=${es_to_so_version[${compatible_versions##* }]}
-    echo -e "\n##############################################################################################################################\n"
-    echo -e "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version $next_step_so_version before updating to $(cat $UPDATE_DIR/VERSION).\n"
+    if [[ -z "$compatible_versions" ]]; then
+      # If current ES version is not explicitly defined in the upgrade map, we know they have an intermediate upgrade to do.
+        # We default to the lowest ES version defined in es_to_so_version as $first_es_required_version
+      local first_es_required_version=$(printf '%s\n' "${!es_to_so_version[@]}" | sort -V | head -n1)
+      next_step_so_version=${es_to_so_version[$first_es_required_version]}
+      required_es_upgrade_version="$first_es_required_version"
+    else
+      next_step_so_version=${es_to_so_version[${compatible_versions##* }]}
+      required_es_upgrade_version="${compatible_versions##* }"
+    fi
+      echo -e "\n##############################################################################################################################\n"
+      echo -e "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version $next_step_so_version before updating to $(cat $UPDATE_DIR/VERSION).\n"
 
-    echo "${compatible_versions##* }" > "$es_required_version_statefile"
+      echo "$required_es_upgrade_version" > "$es_required_version_statefile"
 
     # We expect to upgrade to the latest compatiable minor version of ES
     create_intermediate_upgrade_verification_script $es_verification_script
@@ -1742,8 +1764,8 @@ verify_es_version_compatibility() {
       echo -e "\n##############################################################################################################################\n"
       exec bash -c "BRANCH=$next_step_so_version soup -y && BRANCH=$next_step_so_version soup -y && \
        echo -e \"\n##############################################################################################################################\n\" && \
-       echo -e \"Verifying Elasticsearch was successfully upgraded to ${compatible_versions##* } across the grid. This part can take a while as Searchnodes/Heavynodes sync up with the Manager! \n\nOnce verification completes the next soup will begin automatically. If verification takes longer than 1 hour it will stop waiting and your grid will remain at $next_step_so_version. Allowing for all Searchnodes/Heavynodes to upgrade Elasticsearch to the required version on their own time.\n\" \
-       && timeout --foreground 4000 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
+       echo -e \"Verifying Elasticsearch was successfully upgraded to $required_es_upgrade_version across the grid. This part can take a while as Searchnodes/Heavynodes sync up with the Manager! \n\nOnce verification completes the next soup will begin automatically. If verification takes longer than 1 hour it will stop waiting and your grid will remain at $next_step_so_version. Allowing for all Searchnodes/Heavynodes to upgrade Elasticsearch to the required version on their own time.\n\" \
+       && timeout --foreground 4000 bash /tmp/so_intermediate_upgrade_verification.sh $required_es_upgrade_version $es_required_version_statefile && \
        echo -e \"\n##############################################################################################################################\n\" \
        && BRANCH=$originally_requested_so_version soup -y && BRANCH=$originally_requested_so_version soup -y"
     fi
@@ -1909,7 +1931,7 @@ apply_hotfix() {
       mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
       mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
       systemctl_func "start" "salt-minion"
-      (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+      (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
     fi
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
@@ -2108,7 +2130,7 @@ main() {
     echo ""
     echo "Running a highstate. This could take several minutes."
     set +e
-    (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+    (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
     highstate
     set -e
 
@@ -2121,7 +2143,7 @@ main() {
     check_saltmaster_status
 
     echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
-    (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+    (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
 
     # Stop long-running scripts to allow potentially updated scripts to load on the next execution.
     killall salt-relay.sh

salt/nginx/config.sls

@@ -6,9 +6,6 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 
-include:
-  - ssl
-
 # Drop the correct nginx config based on role
 nginxconfdir:
   file.directory:

salt/nginx/enabled.sls

@@ -8,81 +8,14 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
-{%   set ca_server = GLOBALS.minion_id %}
 
 include:
+  - nginx.ssl
   - nginx.config
   - nginx.sostatus
 
-
-{%   if grains.role not in ['so-fleet'] %}
-
-{#   if the user has selected to replace the crt and key in the ui #}
-{%   if NGINXMERGED.ssl.replace_cert %}
-
-managerssl_key:
-  file.managed:
-    - name: /etc/pki/managerssl.key
-    - source: salt://nginx/ssl/ssl.key
-    - mode: 640
-    - group: 939
-    - watch_in:
-      - docker_container: so-nginx
-
-managerssl_crt:
-  file.managed:
-    - name: /etc/pki/managerssl.crt
-    - source: salt://nginx/ssl/ssl.crt
-    - mode: 644
-    - watch_in:
-      - docker_container: so-nginx
-
-{%   else %}
-
-managerssl_key:
-  x509.private_key_managed:
-    - name: /etc/pki/managerssl.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
-    - prereq:
-      - x509: /etc/pki/managerssl.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-    - watch_in:
-      - docker_container: so-nginx
-
-# Create a cert for the reverse proxy
-managerssl_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/managerssl.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: managerssl
-    - private_key: /etc/pki/managerssl.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-    - watch_in:
-      - docker_container: so-nginx
-
-{%   endif %}
-
-msslkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/managerssl.key
-    - mode: 640
-    - group: 939
-
+{%   if GLOBALS.role != 'so-fleet' %}
+{%     set container_config = 'so-nginx' %}
 make-rule-dir-nginx:
   file.directory:
     - name: /nsm/rules
@@ -92,15 +25,11 @@ make-rule-dir-nginx:
       - user
       - group
     - show_changes: False
-      
-{%   endif %}
 
-{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
-{% if GLOBALS.role == 'so-fleet' %}
-{%   set container_config = 'so-nginx-fleet-node' %}
-{% else %}
-{%   set container_config = 'so-nginx' %}
-{% endif %}
+{%   else %}
+{#     if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
+{%     set container_config = 'so-nginx-fleet-node' %}
+{%   endif %}
 
 so-nginx:
   docker_container.running:
@@ -154,18 +83,27 @@ so-nginx:
     - watch:
       - file: nginxconf
       - file: nginxconfdir
-    - require:
-      - file: nginxconf
-{% if GLOBALS.is_manager %}
-{%     if NGINXMERGED.ssl.replace_cert %}
+      {% if GLOBALS.is_manager %}
+      {%   if NGINXMERGED.ssl.replace_cert %}
       - file: managerssl_key
       - file: managerssl_crt
-{%     else %}
+      {%   else %}
       - x509: managerssl_key
       - x509: managerssl_crt
-{%     endif%}
+      {%   endif%}
+      {% endif %}
+    - require:
+      - file: nginxconf
+      {% if GLOBALS.is_manager %}
+      {%   if NGINXMERGED.ssl.replace_cert %}
+      - file: managerssl_key
+      - file: managerssl_crt
+      {%   else %}
+      - x509: managerssl_key
+      - x509: managerssl_crt
+      {%   endif%}
       - file: navigatorconfig
-{%   endif %}
+      {% endif %}
 
 delete_so-nginx_so-status.disabled:
   file.uncomment:

salt/nginx/ssl.sls

@@ -0,0 +1,87 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'nginx/map.jinja' import NGINXMERGED %}
+{%   from 'ca/map.jinja' import CA %}
+
+{%   if GLOBALS.role != 'so-fleet' %}
+{#     if the user has selected to replace the crt and key in the ui #}
+{%     if NGINXMERGED.ssl.replace_cert %}
+
+managerssl_key:
+  file.managed:
+    - name: /etc/pki/managerssl.key
+    - source: salt://nginx/ssl/ssl.key
+    - mode: 640
+    - group: 939
+    - watch_in:
+      - docker_container: so-nginx
+
+managerssl_crt:
+  file.managed:
+    - name: /etc/pki/managerssl.crt
+    - source: salt://nginx/ssl/ssl.crt
+    - mode: 644
+    - watch_in:
+      - docker_container: so-nginx
+
+{%   else %}
+
+managerssl_key:
+  x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+# Create a cert for the reverse proxy
+managerssl_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: managerssl
+    - private_key: /etc/pki/managerssl.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+{%     endif %}
+
+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/managerssl.key
+    - mode: 640
+    - group: 939
+
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/ca.sls

@@ -0,0 +1,22 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
+
+stenoca:
+  file.directory:
+    - name: /opt/so/conf/steno/certs
+    - user: 941
+    - group: 939
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/config.sls

@@ -57,12 +57,6 @@ stenoconf:
         PCAPMERGED: {{ PCAPMERGED }}
         STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
 
-stenoca:
-  file.directory:
-    - name: /opt/so/conf/steno/certs
-    - user: 941
-    - group: 939
-
 pcaptmpdir:
   file.directory:
     - name: /nsm/pcaptmp

salt/pcap/enabled.sls

@@ -10,6 +10,7 @@
 
 
 include:
+  - pcap.ca
   - pcap.config
   - pcap.sostatus
 

salt/redis/config.sls

@@ -7,9 +7,6 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'redis/map.jinja' import REDISMERGED %}
 
-include:
-  - ssl
-
 # Redis Setup
 redisconfdir:
   file.directory:

salt/redis/enabled.sls

@@ -9,6 +9,8 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
+  - ca
+  - redis.ssl
   - redis.config
   - redis.sostatus
 
@@ -31,11 +33,7 @@ so-redis:
       - /nsm/redis/data:/data:rw
       - /etc/pki/redis.crt:/certs/redis.crt:ro
       - /etc/pki/redis.key:/certs/redis.key:ro
-      {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - /etc/pki/ca.crt:/certs/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% endif %}
       {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
       - {{ BIND }}
@@ -55,16 +53,14 @@ so-redis:
     {% endif %}
     - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
     - watch:
-      - file: /opt/so/conf/redis/etc
-    - require:
-      - file: redisconf
+      - file: trusttheca
+      - x509: redis_crt
+      - x509: redis_key
+      - file: /opt/so/conf/redis/etc
+    - require:
+      - file: trusttheca
       - x509: redis_crt
       - x509: redis_key
-      {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
 
 delete_so-redis_so-status.disabled:
   file.uncomment:

salt/redis/ssl.sls

@@ -0,0 +1,54 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+redis_key:
+  x509.private_key_managed:
+    - name: /etc/pki/redis.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
+    - prereq:
+      - x509: /etc/pki/redis.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+redis_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/redis.crt
+    - ca_server: {{ CA.server }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - signing_policy: registry
+    - private_key: /etc/pki/redis.key
+    - CN: {{ GLOBALS.hostname }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+rediskeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/redis.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/registry/config.sls

@@ -6,9 +6,6 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 
-include:
-  - ssl
-
 # Create the config directory for the docker registry
 dockerregistryconfdir:
   file.directory:

salt/registry/enabled.sls

@@ -9,6 +9,7 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 
 include:
+  - registry.ssl
   - registry.config
   - registry.sostatus
 
@@ -53,6 +54,9 @@ so-dockerregistry:
     - retry:
         attempts: 5
         interval: 30
+    - watch:
+      - x509: registry_crt
+      - x509: registry_key
     - require:
       - file: dockerregistryconf
       - x509: registry_crt

salt/registry/ssl.sls

@@ -0,0 +1,77 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+include:
+  - ca
+
+# Delete directory if it exists at the key path
+registry_key_cleanup:
+  file.absent:
+    - name: /etc/pki/registry.key
+    - onlyif:
+      - test -d /etc/pki/registry.key
+
+registry_key:
+  x509.private_key_managed:
+    - name: /etc/pki/registry.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    - require:
+      - file: registry_key_cleanup
+    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
+    - prereq:
+      - x509: /etc/pki/registry.crt
+    {%- endif %}
+    - retry:
+        attempts: 15
+        interval: 10
+
+# Delete directory if it exists at the crt path
+registry_crt_cleanup:
+  file.absent:
+    - name: /etc/pki/registry.crt
+    - onlyif:
+      - test -d /etc/pki/registry.crt
+
+# Create a cert for the docker registry
+registry_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/registry.crt
+    - ca_server: {{ CA.server }}
+    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
+    - signing_policy: registry
+    - private_key: /etc/pki/registry.key
+    - CN: {{ GLOBALS.manager }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - require:
+      - file: registry_crt_cleanup
+    - timeout: 30
+    - retry:
+        attempts: 15
+        interval: 10
+
+
+regkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/registry.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/salt/engines/master/checkmine.py

@@ -46,33 +46,6 @@ def start(interval=60):
                 mine_update(minion)
                 continue
 
-            # if a manager check that the ca in in the mine and it is correct
-            if minion.split('_')[-1] in ['manager', 'managersearch', 'eval', 'standalone', 'import']:
-                x509 = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='x509.get_pem_entries')
-                try:
-                    ca_crt = x509[minion]['/etc/pki/ca.crt']
-                    log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt))
-                    # since the cert is defined, make sure it is valid
-                    import salt.modules.x509_v2 as x509_v2
-                    if not x509_v2.verify_private_key('/etc/pki/ca.key', '/etc/pki/ca.crt'):
-                        log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion))
-                        log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt))
-                        mine_delete(minion, 'x509.get_pem_entries')
-                        mine_update(minion)
-                        continue
-                    else:
-                        log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion))
-                except IndexError:
-                    log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion))
-                    mine_delete(minion, 'x509.get_pem_entries')
-                    mine_update(minion)
-                    continue
-                except KeyError:
-                    log.error('checkmine engine: found minion %s is not in the mine' % (minion))
-                    mine_flush(minion)
-                    mine_update(minion)
-                    continue
-
             # Update the mine if the ip in the mine doesn't match returned from manage.alived
             network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs')
             try:

salt/salt/mine_functions.sls

@@ -18,10 +18,6 @@ mine_functions:
         mine_functions:
           network.ip_addrs:
             - interface: {{ interface }}
-        {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
-          x509.get_pem_entries:
-            - glob_path: '/etc/pki/ca.crt'
-        {% endif %}
 
 mine_update_mine_functions:
   module.run:

salt/salt/minion/init.sls

@@ -17,8 +17,8 @@ include:
   - repo.client
   - salt.mine_functions
   - salt.minion.service_file
-{% if GLOBALS.role in GLOBALS.manager_roles %}
-  - ca
+{% if GLOBALS.is_manager %}
+  - ca.signing_policy
 {% endif %}
 
 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
@@ -111,7 +111,7 @@ salt_minion_service:
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
       - file: set_log_levels
 {% endif %}
-{% if GLOBALS.role in GLOBALS.manager_roles %}
-      - file: /etc/salt/minion.d/signing_policies.conf
+{% if GLOBALS.is_manager %}
+      - file: signing_policy
 {% endif %}
     - order: last

salt/sensoroni/enabled.sls

@@ -8,6 +8,9 @@
 
 
 include:
+{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+  - pcap.ca
+{% endif %}
   - sensoroni.config
   - sensoroni.sostatus
 
@@ -16,7 +19,9 @@ so-sensoroni:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
     - network_mode: host
     - binds:
+      {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
       - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      {% endif %}
       - /nsm/pcap:/nsm/pcap:rw
       - /nsm/import:/nsm/import:rw
       - /nsm/pcapout:/nsm/pcapout:rw

salt/soc/enabled.sls

@@ -11,6 +11,7 @@
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}
 
 include:
+  - ca
   - soc.config
   - soc.sostatus
 
@@ -55,7 +56,7 @@ so-soc:
       - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw
       - /nsm/backup/detections-migration:/nsm/backup/detections-migration:ro
       - /opt/so/state:/opt/so/state:rw
-      - /etc/pki/ca.crt:/opt/sensoroni/html/so-ca.crt:ro
+      - /etc/pki/tls/certs/intca.crt:/opt/sensoroni/html/so-ca.crt:ro
     - extra_hosts:
     {% for node in DOCKER_EXTRA_HOSTS %}
     {%   for hostname, ip in node.items() %}
@@ -78,8 +79,10 @@ so-soc:
     {%   endfor %}
     {% endif %}
     - watch:
+      - file: trusttheca
       - file: /opt/so/conf/soc/*
     - require:
+      - file: trusttheca
       - file: socdatadir
       - file: soclogdir
       - file: socconfig

salt/ssl/init.sls

@@ -1,720 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
-
-{% set global_ca_text = [] %}
-{% set global_ca_server = [] %}
-{% if grains.role in ['so-heavynode'] %}
-  {% set COMMONNAME = GLOBALS.hostname %}
-{% else %}
-  {% set COMMONNAME = GLOBALS.manager %}
-{% endif %}
-
-{% if GLOBALS.is_manager %}
-include:
-  - ca
-    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
-    {% set ca_server = grains.id %}
-{% else %}
-include:
-  - ca.dirs
-    {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
-    {% for host in x509dict %}
-      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
-        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
-        {% do global_ca_server.append(host) %}
-      {% endif %}
-    {% endfor %}
-    {% set trusttheca_text = global_ca_text[0] %}
-    {% set ca_server = global_ca_server[0] %}
-{% endif %}
-
-cacertdir:
-  file.directory:
-    - name: /etc/pki/tls/certs
-    - makedirs: True
-
-# Trust the CA
-trusttheca:
-  x509.pem_managed:
-    - name: /etc/pki/tls/certs/intca.crt
-    - text:  {{ trusttheca_text }}
-
-{% if GLOBALS.os_family == 'Debian' %}
-symlinkca:
-  file.symlink:
-    - target: /etc/pki/tls/certs/intca.crt
-    - name: /etc/ssl/certs/intca.crt
-{% endif %}
-
-# Install packages needed for the sensor
-m2cryptopkgs:
-  pkg.installed:
-    - skip_suggestions: False
-    - pkgs:
-      - python3-m2crypto
-
-influxdb_key:
-  x509.private_key_managed:
-    - name: /etc/pki/influxdb.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
-    - prereq:
-      - x509: /etc/pki/influxdb.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the talking to influxdb
-influxdb_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/influxdb.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: influxdb
-    - private_key: /etc/pki/influxdb.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-influxkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/influxdb.key
-    - mode: 640
-    - group: 939
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
-# Create a cert for Redis encryption
-redis_key:
-  x509.private_key_managed:
-    - name: /etc/pki/redis.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
-    - prereq:
-      - x509: /etc/pki/redis.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-redis_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/redis.crt
-    - ca_server: {{ ca_server }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - signing_policy: registry
-    - private_key: /etc/pki/redis.key
-    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-rediskeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/redis.key
-    - mode: 640
-    - group: 939
-{% endif %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
-
-{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
-# Start -- Elastic Fleet Host Cert
-etc_elasticfleet_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-server.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-server.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-server.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-efperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-chownelasticfleetkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.key
-    - mode: 640
-    - user: 947
-    - group: 939
-# End -- Elastic Fleet Host Cert
-{% endif %} # endif is for not including HeavyNodes & Receivers 
-
-{% if grains['role'] not in [ 'so-heavynode'] %}
-# Start -- Elastic Fleet Logstash Input Cert
-etc_elasticfleet_logstash_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-logstash.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_logstash_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_logstash_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-logstash.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-logstash.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleet_logstash_key
-
-eflogstashperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetlogstashcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.crt
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownelasticfleetlogstashkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.key
-    - mode: 640
-    - user: 931
-    - group: 939
-# End -- Elastic Fleet Logstash Input Cert
-{% endif %} # endif is for not including HeavyNodes 
-
-# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output
-# Cert needed on: Managers, Receivers
-etc_elasticfleetlumberjack_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - bits: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
-    - prereq:
-      - x509: etc_elasticfleetlumberjack_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleetlumberjack_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-lumberjack.key
-    - CN: {{ GLOBALS.node_ip }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleetlumberjack_key
-
-eflogstashlumberjackperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - mode: 640
-    - group: 939
-
-chownilogstashelasticfleetlumberjackp8:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownilogstashelasticfleetlogstashlumberjackcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownilogstashelasticfleetlogstashlumberjackkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - mode: 640
-    - user: 931
-    - group: 939
-
-# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output
-
-# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
-etc_elasticfleet_agent_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-agent.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_agent_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_agent_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-agent.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-agent.key
-    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleet_agent_key
-
-efagentperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetagentcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-chownelasticfleetagentkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.key
-    - mode: 640
-    - user: 947
-    - group: 939
-# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
-
-{% endif %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %}
-etc_filebeat_key:
-  x509.private_key_managed:
-    - name: /etc/pki/filebeat.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
-    - prereq:
-      - x509: etc_filebeat_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Request a cert and drop it where it needs to go to be distributed
-etc_filebeat_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/filebeat.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: filebeat
-    - private_key: /etc/pki/filebeat.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_filebeat_key
-
-fbperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/filebeat.key
-    - mode: 640
-    - group: 939
-
-chownilogstashfilebeatp8:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/filebeat.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-
-  {% if grains.role not in ['so-heavynode', 'so-receiver'] %}
-# Create Symlinks to the keys so I can distribute it to all the things
-filebeatdir:
-  file.directory:
-    - name: /opt/so/saltstack/local/salt/filebeat/files
-    - makedirs: True
-
-fbkeylink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
-    - target: /etc/pki/filebeat.p8
-    - user: socore
-    - group: socore
-
-fbcrtlink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
-    - target: /etc/pki/filebeat.crt
-    - user: socore
-    - group: socore
-
-registry_key:
-  x509.private_key_managed:
-    - name: /etc/pki/registry.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
-    - prereq:
-      - x509: /etc/pki/registry.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the docker registry
-registry_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/registry.crt
-    - ca_server: {{ ca_server }}
-    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
-    - signing_policy: registry
-    - private_key: /etc/pki/registry.key
-    - CN: {{ GLOBALS.manager }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-regkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/registry.key
-    - mode: 640
-    - group: 939
-
-  {% endif %}
-  {% if grains.role not in ['so-receiver'] %}
-# Create a cert for elasticsearch
-/etc/pki/elasticsearch.key:
-  x509.private_key_managed:
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
-    - prereq:
-      - x509: /etc/pki/elasticsearch.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-/etc/pki/elasticsearch.crt:
-  x509.certificate_managed:
-    - ca_server: {{ ca_server }}
-    - signing_policy: registry
-    - private_key: /etc/pki/elasticsearch.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
-    - onchanges:
-      - x509: /etc/pki/elasticsearch.key
-
-elastickeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.key
-    - mode: 640
-    - group: 930
-    
-elasticp12perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.p12
-    - mode: 640
-    - group: 930
-
-  {% endif %}
-
-
-{% endif %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %}
-   
-fbcertdir:
-  file.directory:
-    - name: /opt/so/conf/filebeat/etc/pki
-    - makedirs: True
-
-conf_filebeat_key:
-  x509.private_key_managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
-    - prereq:
-      - x509: conf_filebeat_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Request a cert and drop it where it needs to go to be distributed
-conf_filebeat_crt:
-  x509.certificate_managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: filebeat
-    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Convert the key to pkcs#8 so logstash will work correctly.
-filebeatpkcs:
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
-    - onchanges:
-      - x509: conf_filebeat_key
-
-filebeatkeyperms:
-  file.managed:
-    - replace: False
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - mode: 640
-    - group: 939
-
-chownfilebeatp8:
-  file.managed:
-    - replace: False
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-    
-{% endif %}
-
-{% if grains['role'] == 'so-searchnode' %}
-# Create a cert for elasticsearch
-/etc/pki/elasticsearch.key:
-  x509.private_key_managed:
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
-    - prereq:
-      - x509: /etc/pki/elasticsearch.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-/etc/pki/elasticsearch.crt:
-  x509.certificate_managed:
-    - ca_server: {{ ca_server }}
-    - signing_policy: registry
-    - private_key: /etc/pki/elasticsearch.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
-    - onchanges:
-      - x509: /etc/pki/elasticsearch.key
-
-elasticp12perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.p12
-    - mode: 640
-    - group: 930
-    
-elastickeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.key
-    - mode: 640
-    - group: 930
-{%- endif %}
-
-{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
-elasticfleet_kafka_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-kafka.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
-    - prereq:
-      - x509: elasticfleet_kafka_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticfleet_kafka_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-kafka.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: kafka
-    - private_key: /etc/pki/elasticfleet-kafka.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticfleet_kafka_cert_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-kafka.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-elasticfleet_kafka_key_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-kafka.key
-    - mode: 640
-    - user: 947
-    - group: 939
-{% endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/ssl/remove.sls

@@ -1,10 +1,7 @@
-trusttheca:
-  file.absent:
-    - name: /etc/pki/tls/certs/intca.crt
-
-symlinkca:
-  file.absent:
-    - name: /etc/ssl/certs/intca.crt
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 
 influxdb_key:
   file.absent:
@@ -14,6 +11,14 @@ influxdb_crt:
   file.absent:
     - name: /etc/pki/influxdb.crt
 
+telegraf_key:
+  file.absent:
+    - name: /etc/pki/telegraf.key
+
+telegraf_crt:
+  file.absent:
+    - name: /etc/pki/telegraf.crt
+
 redis_key:
   file.absent:
     - name: /etc/pki/redis.key
@@ -30,6 +35,7 @@ etc_filebeat_crt:
   file.absent:
     - name: /etc/pki/filebeat.crt
 
+# manager has symlink to /etc/pki/filebeat.crt and /etc/pki/filebeat.p8
 filebeatdir:
   file.absent:
     - name: /opt/so/saltstack/local/salt/filebeat/files
@@ -42,11 +48,13 @@ registry_crt:
   file.absent:
     - name: /etc/pki/registry.crt
 
-/etc/pki/elasticsearch.key:
-  file.absent: []
+elasticsearch_key:
+  file.absent:
+    - name: /etc/pki/elasticsearch.key
 
-/etc/pki/elasticsearch.crt:
-  file.absent: []
+elasticsearch_crt:
+  file.absent:
+    - name: /etc/pki/elasticsearch.crt
 
 remove_elasticsearch.p12:
   file.absent:
@@ -75,6 +83,7 @@ fbcertdir:
 kafka_crt:
   file.absent:
     - name: /etc/pki/kafka.crt
+
 kafka_key:
   file.absent:
     - name: /etc/pki/kafka.key
@@ -82,9 +91,67 @@ kafka_key:
 kafka_logstash_crt:
   file.absent:
     - name: /etc/pki/kafka-logstash.crt
+
 kafka_logstash_key:
   file.absent:
     - name: /etc/pki/kafka-logstash.key
+
 kafka_logstash_keystore:
   file.absent:
     - name: /etc/pki/kafka-logstash.p12
+
+elasticfleet_agent_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-agent.crt
+
+elasticfleet_agent_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-agent.key
+
+elasticfleet_agent_p8:
+  file.absent:
+    - name: /etc/pki/elasticfleet-agent.p8
+
+elasticfleet_kafka_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-kafka.crt
+
+elasticfleet_kafka_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-kafka.key
+
+elasticfleet_logstash_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-logstash.crt
+
+elasticfleet_logstash_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-logstash.key
+
+elasticfleet_logstash_p8:
+  file.absent:
+    - name: /etc/pki/elasticfleet-logstash.p8
+
+elasticfleet_lumberjack_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+
+elasticfleet_lumberjack_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-lumberjack.key
+
+elasticfleet_lumberjack_p8:
+  file.absent:
+    - name: /etc/pki/elasticfleet-lumberjack.p8
+
+elasticfleet_server_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-server.crt
+
+elasticfleet_server_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-server.key
+
+filebeat_p8:
+  file.absent:
+    - name: /etc/pki/filebeat.p8

salt/telegraf/config.sls

@@ -8,9 +8,6 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
-include:
-  - ssl
-
 # add Telegraf to monitor all the things
 tgraflogdir:
   file.directory:

salt/telegraf/enabled.sls

@@ -9,8 +9,9 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
-
 include:
+  - ca
+  - telegraf.ssl
   - telegraf.config
   - telegraf.sostatus
 
@@ -42,13 +43,9 @@ so-telegraf:
       - /proc:/host/proc:ro
       - /nsm:/host/nsm:ro
       - /etc:/host/etc:ro
-      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
+      - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro
+      - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro
       - /opt/so/conf/telegraf/scripts:/scripts:ro
       - /opt/so/log/stenographer:/var/log/stenographer:ro
       - /opt/so/log/suricata:/var/log/suricata:ro
@@ -71,21 +68,20 @@ so-telegraf:
       {% endfor %}
     {% endif %}
     - watch:
+      - file: trusttheca
+      - x509: telegraf_crt
+      - x509: telegraf_key
       - file: tgrafconf
       - file: node_config
     {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
       - file: tgraf_sync_script_{{script}}
     {% endfor %}
-    - require: 
+    - require:
+      - file: trusttheca
+      - x509: telegraf_crt
+      - x509: telegraf_key
       - file: tgrafconf
       - file: node_config
-      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
-      - x509: influxdb_crt
-      - x509: influxdb_key
 
 delete_so-telegraf_so-status.disabled:
   file.uncomment:

salt/telegraf/ssl.sls

@@ -0,0 +1,66 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+telegraf_key:
+  x509.private_key_managed:
+    - name: /etc/pki/telegraf.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/telegraf.key') -%}
+    - prereq:
+      - x509: /etc/pki/telegraf.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the talking to telegraf
+telegraf_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/telegraf.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: influxdb
+    - private_key: /etc/pki/telegraf.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+telegraf_key_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/telegraf.key
+    - mode: 640
+    - group: 939
+
+{%   if not GLOBALS.is_manager %}
+{# Prior to 2.4.220, minions used influxdb.crt and key for telegraf #}
+remove_influxdb.crt:
+  file.absent:
+    - name: /etc/pki/influxdb.crt
+
+remove_influxdb.key:
+  file.absent:
+    - name: /etc/pki/influxdb.key
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/top.sls

@@ -37,6 +37,7 @@ base:
   'not ( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}}':
     - match: compound
     - salt.minion
+    - ca
     - patch.os.schedule
     - motd
     - salt.minion-check
@@ -49,6 +50,7 @@ base:
   '( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
     - salt.minion
+    - ca
     - patch.os.schedule
     - motd
     - salt.minion-check
@@ -61,8 +63,6 @@ base:
     - match: compound
     - salt.master
     - sensor
-    - ca
-    - ssl
     - registry
     - manager
     - backup.config_backup
@@ -91,8 +91,6 @@ base:
     - match: compound
     - salt.master
     - sensor
-    - ca
-    - ssl
     - registry
     - manager
     - backup.config_backup
@@ -124,8 +122,6 @@ base:
   '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
     - salt.master
-    - ca
-    - ssl
     - registry
     - nginx
     - influxdb
@@ -157,8 +153,6 @@ base:
   '*_managersearch and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
     - salt.master
-    - ca
-    - ssl
     - registry
     - nginx
     - influxdb
@@ -187,8 +181,6 @@ base:
     - match: compound
     - salt.master
     - sensor
-    - ca
-    - ssl
     - registry
     - manager
     - nginx
@@ -212,7 +204,6 @@ base:
   '*_searchnode and G@saltversion:{{saltversion}}':
     - match: compound
     - firewall
-    - ssl
     - elasticsearch
     - logstash
     - sensoroni
@@ -225,7 +216,6 @@ base:
   '*_sensor and G@saltversion:{{saltversion}}':
     - match: compound
     - sensor
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -241,7 +231,6 @@ base:
   '*_heavynode and G@saltversion:{{saltversion}}':
     - match: compound
     - sensor
-    - ssl
     - sensoroni
     - telegraf
     - nginx
@@ -259,7 +248,6 @@ base:
 
   '*_receiver and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -271,7 +259,6 @@ base:
 
   '*_idh and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -280,7 +267,6 @@ base:
 
   '*_fleet and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -293,7 +279,6 @@ base:
 
   '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -304,7 +289,6 @@ base:
     - stig
   
   '*_desktop and G@saltversion:{{saltversion}}':
-    - ssl
     - sensoroni
     - telegraf
     - elasticfleet.install_agent_grid

setup/so-functions

@@ -1121,16 +1121,6 @@ generate_ca() {
 	logCmd "openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates"
 }
 
-generate_ssl() {
-	# if the install type is a manager then we need to wait for the minion to be ready before trying
-	# to run the ssl state since we need the minion to sign the certs
-	if [[ $waitforstate ]]; then
-		(wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' || fail_setup) 2>&1 | tee -a "$setup_log"
-	fi
-	info "Applying SSL state"
-	logCmd "salt-call state.apply ssl -l info"
-}
-
 generate_passwords(){
   title "Generate Random Passwords"
   INFLUXPASS=$(get_random_value)
@@ -1644,7 +1634,7 @@ reinstall_init() {
 
 	{
 		# remove all of root's cronjobs
-		logCmd "crontab -r -u root"
+		crontab -r -u root
 
 		if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
@@ -1654,8 +1644,7 @@ reinstall_init() {
 			salt-call -l info saltutil.kill_all_jobs --local
 		fi
 
-		logCmd "salt-call state.apply ca.remove -linfo --local --file-root=../salt"
-		logCmd "salt-call state.apply ssl.remove -linfo --local --file-root=../salt"
+		salt-call state.apply ca.remove -linfo --local --file-root=../salt
 
 		# Kill any salt processes (safely)
 		for service in "${salt_services[@]}"; do
@@ -1668,7 +1657,7 @@ reinstall_init() {
 			local count=0
 			while check_service_status "$service"; do
 				if [[ $count -gt $service_retry_count ]]; then
-					info "Could not stop $service after 1 minute, exiting setup."
+					echo "Could not stop $service after 1 minute, exiting setup."
 
 					# Stop the systemctl process trying to kill the service, show user a message, then exit setup
 					kill -9 $pid
@@ -1706,10 +1695,10 @@ reinstall_init() {
 		backup_dir /nsm/influxdb "$date_string"
 
 		# Uninstall local Elastic Agent, if installed
-		logCmd "elastic-agent uninstall -f"
+		elastic-agent uninstall -f
 
 		if [[ $is_deb ]]; then
-			info "Unholding previously held packages."
+			echo "Unholding previously held packages."
 			apt-mark unhold $(apt-mark showhold)
 		fi
 

setup/so-setup

@@ -773,12 +773,9 @@ if ! [[ -f $install_opt_file ]]; then
 		# wait here until we get a response from the salt-master since it may have just restarted
 		# exit setup after 5-6 minutes of trying
 		check_salt_master_status || fail  "Can't access salt master or it is not ready"
-		# apply the ca state to create the ca and put it in the mine early in the install
+		# apply the ca state to create the ca and symlink to local/salt/ca/files/ca.crt
 		# the minion ip will already be in the mine from configure_minion function in so-functions
 		generate_ca
-		# this will also call the ssl state since docker requires the intca
-		# the salt-minion service will need to be up on the manager to sign requests
-		generate_ssl
 		logCmd "salt-call state.apply docker"
 		firewall_generate_templates
 		set_initial_firewall_policy